Security in industrial control systems

January 2009 Training & Education

Getting back to the basics.

Keywords: [attack vector, backdoor, best practice, control system, denial of service, engineering, exploit, firewall, HAZOP, industrial control, malware, MMP, network, patch, reliability, risk analysis, risk reduction, security, threat, TCO, Trojan horse, trusted system, user privilege, VLAN, virus, vulnerability, worm]

Abstract

In this paper Eugene Coetzee discusses the types of security vulnerabilities with which modern industrial control systems must contend, the impact of security on system reliability, malware, the differentiation between control systems and IT systems and good engineering practice as an essential element of control system security.

Eugene Coetzee, ICT consultant: Consultants-Online

Coetzee then discusses risk analysis and risk reduction techniques. The paper includes a detailed case study of an incident at a nuclear plant where a computer virus disabled a safety monitoring system.

Introduction

Modern industrial control systems are implemented on commercial information technology (IT) platforms. The technical challenges that face the IT industry with regard to reliability and security are, therefore, also challenges encountered in control systems.

Although the challenges may be similar in nature due to the common technological building blocks, there are fundamental differences between control systems and IT systems that require a different approach in the way that reliability and security are achieved and sustained.

It has become common practice to adopt security solutions from the IT industry in control systems without due consideration for technical merits or the appropriateness of those solutions. Elaborate or complex security systems may, in fact, degrade the reliability and performance of a control system. It is important that control systems are engineered and managed with reliability and security as a primary objective. In the vast majority of implementations, reliability and security can be achieved through a thorough understanding of the basic principles of IT security combined with good engineering practice in the design, implementation and management of those principles.

Commercial IT platforms

The commercial IT platform is also popularly known as the PC or x86 platform. x86 is the generic name of a microprocessor architecture first developed and manufactured by Intel.

The x86 architecture has dominated the desktop computer and small server markets since the 1980s. The PC has replaced the so-called proprietary systems of various control system vendors. The IBM PC runs, primarily, the following commercial operating systems:

* Microsoft Windows.

* MacOS.

* Unix-like operating systems including Linux and FreeBSD.

[Reference: http://en.wikipedia.org/wiki/X86].

The majority of commercial IT platforms are inherently insecure by design, default configuration or a combination of the two.

Most computer security techniques focus on external threats, and generally treat the computer system itself as a trusted system. Security experts see this as the cause of much of the insecurity of current computer systems. Once an attack has subverted a part of the system, access to most or all of the features of that system is obtained. Computer systems can be very complex, and many commercial platforms cannot be guaranteed to be free of defects - producing inherently insecure systems.

Industrial Security Incident Database (ISID) records the drastic increase in IT related security incidents affecting industrial control systems

The trusted systems approach has been predominant in the design of many software products due to a policy of emphasising functionality and user-friendliness over security.

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of threats or attacks that can be made against it. These attacks can typically be classified into one of the following categories:

* Exploits.

* Denial of service.

* Backdoor.

* Social engineering and human error.

* Eavesdropping.

Continued on the web

For the complete article visit www.instrumentation.co.za/+c9203

For more information contact Eugene Coetzee, Consultants-Online, +27 (0)18 293 3236, [email protected], www.consultants-online.co.za




